Appl. No: 09/759,089

Reply to Office Action of April 5, 2006 



REMARKS/ARGUMENTS 

As background, this is the fourth Office Action issued in this case with one RCE 
having been filed to continue the prosecution. In the prior Amendment, Applicant 
amended the independent claims to include limitations that were presented in the 
originally filed dependent claims and also to clarify previously submitted claim 
language. However, another search was performed by the Examiner, and with the 
April 5, 2006 Office Action, the main references that have been used previously by the 
Examiner from the first Office Action as anticipatory references have been 
supplemented with newly cited references to again reject the pending claims (i.e., all 
35 U.S.C. §102 rejections have been withdrawn and the substantive rejections are 
now 35 U.S.C. §103 rejections). Applicant believes this Amendment addresses and
distinguishes all the cited references but objects to new references being added so 
late in the prosecution process when the claim amendments did not introduce new 
issues that required additional searching. 

Prior to this Amendment, Claims 1-4, 6-10, 12-15, 17-36, 38-59, and 61-68 
were pending in the patent application. 

Independent claim 1 is amended to clarify the antecedent basis for the 
"preselected criterion" limitation. Claim 1 is also amended to stress that the raw 
TCP/IP data associated with a complete communication session is monitored, stored, 
and tested such that the preselected criterion may be located in the raw TCP/IP data 
such as the TCP control information, the TCP state information, and also the data 
payload. Support for this amendment can be found in lines 1-5 of page 3, lines 11-15
of page 4, and lines 10-16 of page 5, and this amendment helps distinguish the 
method of claim 1 from prior filtering/monitoring that is performed solely on the control 
information or solely on data in a single data packet. Dependent claims 4 and 19 are 
amended to clarify that a user can assign a weight to a regular expression of a 
criterion. 

Independent claim 34 is amended to include the limitations of dependent claims
39 and 41 and additional clarifying language. Dependent claims 38-41 and 43 are 
cancelled. 

Independent claim 55 is amended to stress the normalizing function of the 
invention as discussed in Applicant's specification beginning at page 5, line 14. In this 
manner, the method allows a single set of criteria or regular expressions to be applied 
to network communications regardless of the original format or protocol of the 
communications. 

Dependent claim 68 is amended to further define the use of protocol matching 
to enhance processing of a data stream as indicated at page 5, lines 10-16 of
Applicant's specification. 

Dependent claims 31, 33, 52, 54, and 64 are amended to clarify that reporting 
of communications that include user-selected criterion or exceed a threshold includes 
providing a view of the stored TCP/IP network communication (e.g., such as the TCP 
session user data payload) as it was seen and/or generated by the monitored network 
user (e.g., the e-mail, the web page, the pdf attachment, the text document, or the like 
is rendered rather than simply displaying a string of illegible characters). No new matter
is added by this amendment with support found at least at page 12, lines 12-17. 

After entry of the Amendment, claims 1-4, 6-10, 12-15, 17-36, 42, 44-59, and
61-68 remain for consideration by the Examiner. 

Rejections under 35 U.S.C. §112

The Office Action rejected claims 1, 2, 6, 14, 27, 28, 30, 32, and 39 as being 
indefinite due to lack of antecedent basis for the limitation "the preselected criterion." 
Claim 1 is amended to address this rejection as suggested by the Examiner. 

Rejections under 35 U.S.C. §103

The Office Action rejected claims 1-4, 6-8, 12, 13, 15, 17-21, 23, 27-33, and 65-
67 under 35 U.S.C. §103(a) as being unpatentable over "Implementing a Generalized
Tool for Network Monitoring" ("Ranum") in view of U.S. Pat. No. 6,266,664 ("Russell-
Falla") and U.S. Pat. No. 6,453,345 ("Trcka"). This rejection is traversed based on the
following remarks. 

Before turning to the rejections of claim 1 presented in the Office Action, it may 
be useful to explain why the claim limitations added with this Amendment distinguish
the method of claim 1 from the three cited references. As amended, claim 1 calls for
"monitoring TCP/IP network communications" and "storing raw TCP/IP session data
for said TCP/IP network communications on disk." Then, the stored communications
are tested for a preselected criterion "wherein the raw TCP/IP session data including
all TCP control and payload data is tested for the presence of the at least one
preselected criterion." This process is discussed in Applicant's specification at least
on page 4, beginning at line 11 where the method involves storing each TCP/IP half-
session to a file or log and then searching the raw data "for the user-selected
criterion." In other words, monitoring, searching, and communication storing is
performed by processing TCP control information and TCP payloads or the actual user 
data together (e.g., processing a complete or whole captured network session rather 
than select processing of portions of network traffic). 

In contrast, Trcka describes a simple filtering mechanism (see, for example, col.
15, beginning at line 45). This filtering mechanism is applied to each data packet on
an individual basis, and, as a result, ignores control data and would produce a very
different result than a testing process that looks at multiple packets or data payloads of
a complete communication or session along with control data. Ranum's N-Code
packet filters are also applied to individual TCP packets and also to the state of the
TCP connection. Hence, Ranum does not describe or teach the monitoring, storing,
and testing of claim 1 because it does not teach applying its filtering mechanism or N-
Code to a complete bi-directional TCP session (e.g., "both TCP control data and at
least one user data payload is tested" from raw TCP/IP session data for monitored
network communications). If Trcka and Ranum were considered together, these 
references may teach a system that could filter network data based on TCP control 
data. However, Trcka combined with Ranum would not teach the testing of claim 1 
because there is no teaching to evaluate both TCP control data and user data 
payloads. Russell-Falla fails to overcome this deficiency of Trcka and Ranum.
Therefore, claim 1 and claims 2-4, 6-8, 12, 13, 15, 17-21, 23, 27-33, and 65-67, which
depend from claim 1, are believed allowable over the combined teaching of the three 
cited references. 

Further, in the September 29, 2005 Office Action, claim 1 was rejected as being 
unpatentable over the combination of Russell-Falla and Trcka. In Applicant's
December 28, 2005 Amendment, claim 1 was amended to add the "receiving" step to
further clarify that the monitoring was performed based on user input and to modify the
"testing" step to further define the preselected criterion relative to the received user
input. Further, the lack of teaching or deficiencies of Russell-Falla and Trcka were
discussed in detail, and Applicant argued that claim 1 was allowable over these two
references. One of these deficiencies is the lack of teaching that the storing of the
communications is performed only "if the presence of said at least one preselected
criterion is determined." In this conditional storing, the preselected criterion is defined
by a user, is associated with the user selected subject matter category, and comprises
one or more regular expressions. The April 5, 2006 Office Action admits at the bottom
of page 4 that Ranum has deficiencies but argues that Trcka and Russell-Falla
overcome these deficiencies. Therefore, it may be useful to first discuss Russell-Falla
and Trcka and their teachings relative to claim 1.

Specifically, claim 1 calls for storing of the communications when a preselected 
criterion is determined and calls for the user to define the criterion. Russell-Falla fails 
to teach either of these features of the claimed invention. Further, claim 1 calls for 
"receiving input from a user selecting a subject matter category for use in monitoring
network communications," and this limitation is not shown or suggested by Russell-
Falla. This is a significant failing of Russell-Falla because the Office Action admits that
Ranum fails to disclose this user selection of a subject matter category but argues that
Russell-Falla provides the necessary teaching. As discussed below, Applicant
strongly disagrees. Further, claim 1 calls for the criterion to be associated with the
selected subject matter category and regular expressions to be associated with each
category - hence, the user is able to select a category and define criterion including
regular expressions. These features are not shown or suggested by Russell-Falla 
which, in contrast, teaches using a neural network to learn from inspecting thousands 
of web pages. 

As noted in the prior Amendments, Russell-Falla does not suggest any means 
by which the user can select a subject matter category for use in monitoring network 
communications and defining a preselected criterion associated with the selected 
subject matter category. Hence, Russell-Falla fails to teach the receiving, testing,
deleting, and storing steps of claim 1. Instead, Russell-Falla determines the contents
of database 30 by a neural network or other automated analysis of large numbers of
content examples. Applicant has found that the complexity of this analysis can be
avoided by allowing a user to define predetermined expressions, as called for in claim
1. Moreover, user-defined criteria enable the user to express control and purpose in
the defined criteria and so enable improved performance. 

Applicant has urged the Examiner to carefully consider Russell-Falla's teaching
from col. 6, line 49 to col. 8, line 3. In this section, Russell-Falla describes in detail its
use of a neural-network in which each term in a list is initially assigned a weight "at
random" and an algorithm is used to "arrive at a set of weightings" based on
processing of "10,000 web pages." No user input is provided at all during this
learning process as described in Russell-Falla as "training pages are statistically
analyzed." In direct contrast to this teaching of automated learning based on
processing large volumes of web pages, the method of claim 1 calls for testing stored
communications for the presence of user-defined criterion associated with user
selected subject matter category and including regular expressions. Hence, the 
"testing" element of claim 1 is not shown or suggested by Russell-Falla. 

At the top of page 5, the Office Action cites Russell-Falla at col. 4, lines 45-60,
col. 4, line 61 to col. 5, line 35, and at col. 5, lines 3-35 for teaching the use of subject
matter categories for use in monitoring networks, testing communications, and that the 
criterion include regular expressions. At col. 4, lines 45-60, Russell-Falla discusses 
that its process can be used for differing content, such as pornography, racism, and 
the like. However, there is no teaching of a user selecting a subject matter category 
(where does the user provide input selecting one of these differing content types as a 
subject matter category?) or defining a criterion including one or more regular 
expressions (where are criterion for each of these contents said to be user defined and 
to include at least one regular expression?). At col. 4, line 61 to col. 5, line 35,
Russell-Falla discusses comparing regular expressions from a web page that is 
analyzed before display on a user's display screen for matches with regular 
expressions in a database. There is no discussion here that a user selects a subject 
matter category. Therefore, the receiving step is not shown. 

Additionally, there is no teaching that the criterion is defined by a user (e.g., it 
appears that the database is searched for matches without any input from a user 
identifying which regular expressions should be used or what weight should be given 
to such expressions). In other words, claim 1 is not claiming the use of regular 
expressions to find a match but rather that the regular expressions are part of a 
criterion defined by a user that in turn are associated with a subject matter that is 
selected by the user with received input. These features are not shown or suggested 
by the web page analysis tool of Russell-Falla. 

Trcka does not overcome the deficiencies of Russell-Falla. Trcka does not 
teach a user selecting a category, defining criterion for inspecting network 
communications, and does not show that the categories may have regular 
expressions. Trcka does not teach any specific type of analysis that would be
performed on the raw data packets. Hence, Trcka does not teach the step of testing
the stored communication for the presence of at least one user-defined criterion.
Further, Trcka does not show monitoring TCP/IP network communications. Trcka
stores raw data packets at a network communication at a data link or lower level (e.g.,
Ethernet packets or lower). This is data below the transport level, and below the
TCP/IP level called for in claim 1. Further, claim 1 calls for storing the communication
in a conditional manner, "if the presence of at least one preselected criterion is
determined." Trcka teaches that all raw data packets are stored, not a process of
storing some and deleting some as called for in claim 1. Russell-Falla does not
explicitly teach storing any of the communication. Accordingly, the combination of
Russell-Falla and Trcka does not suggest the invention of claim 1.

Moreover, there is no teaching in the references as to how such a combination 
would be achieved. The references appear to teach against the combination 
suggested in the office action. Russell-Falla deals with analyzing a web page before it 
is displayed whereas Trcka specifically captures data passively without interrupting 
delivery. Russell-Falla must analyze HTML pages, not network packets, whereas 
Trcka must capture network packets at a very low level. The two references, as taught 
in the references themselves, describe incompatible systems. Only Applicant has 
recognized and invented a way for performing text analysis akin to what Russell-Falla 
is doing on HTML pages in an offline manner within a network connection, akin to what 
Trcka is doing at a data link layer. 

Based on the foregoing discussion, Russell-Falla fails to teach the subject 
matter category selection by a user that the Office Action admits is not shown by 
Ranum or Trcka. Hence, claim 1 is allowable over these three references. Further, 
the above discussion shows that Trcka does not teach the storing, deleting, and 
storing steps of claim 1. The following discussion shows that Ranum also fails to show
the combination of these three steps - as well as having other failings.

Specifically, turning to Ranum, the Office Action cites Ranum for substantially
teaching each and every limitation of claim 1. Applicant disagrees with this
construction of Ranum. Ranum's Abstract describes its "Network Flight Recorder" or
NFR as a "general purpose statistics-gathering system" that is useful for "building
network traffic analysis and statistical event records." To this end, packet suckers are
implemented to collect data packets that are compared to filters in a decision engine
and once "a packet has been applied against the filters, it is discarded." A record
mechanism "passes a constructed data structure to a backend recorder for further
processing." In other words, a filter is applied to determine if a data packet includes a
keyword or pattern that triggers an event, and if so, a constructed data structure is
transmitted to a backend (such as a list backend or histogram backend) for further
processing (such as developing statistics on network traffic such as visits to a
particular URL, receipt of "spam", and the like). While the NFR provides statistics and
monitors network traffic, it does so in a different way than called for in the method of 
claim 1 and fails to teach or suggest all the limitations (e.g., fails to overcome the 
deficiencies of Russell-Falla and Trcka). 

More particularly, the Office Action cites Ranum at page 1, points 2 and 3 and
page 2 the first paragraph under Decision Engine for teaching the receiving step of
claim 1. Points 2 and 3 on page 1 state that "NNStat" had properties that include
"flexible specification of types of events to record" and "flexible storage of information
about the events that are observed." This fails to teach receiving user input selecting
a subject matter category for use in monitoring network communications, with "flexible"
having many meanings and there not being any teaching of subject matter categories
and only event types. At the citation on page 2, Ranum discusses using a list of filters
to check packets in the decision tree, such as to develop statistics for TCP traffic.
There is no discussion of receiving user input or that such input is used to select
subject matter categories for monitoring traffic (e.g., there is no discussion that the
filters are grouped into subject matter categories or that a user can provide input to
select groups of such filters). Hence, Ranum fails to teach the receiving step of claim
1, and Russell-Falla and Trcka fail to overcome this deficiency as discussed above.
As a result, claim 1 is allowable at least for this reason.

The Office Action also argues that Ranum teaches the testing step of claim 1 at 
pages 2 and 3 (Decision Engine), pages 5 and 6 (N-code filtering). Applicant 
disagrees because Ranum does not teach that its filtering is performed based on a 
user defined criterion or that such criterion is associated with the user-selected subject 
matter. There is no discussion under the Decision Engine that the filters are
configured to apply a criterion that is user-defined and associated with a subject matter 
category that is selected by the user. GUI are described at page 5 but these are 
related to the backends and no mention is made of a user selecting or configuring the 
Decision Engine or its filtering processes. The N-Code Filtering that is discussed 
starting on page 5 includes syntax of a filter but fails to discuss testing based on user- 
defined criterion that may include regular expressions and that are associated with a 
subject matter category selected based on user input. Claim 1 also calls for the 
testing to be performed on "the stored communications" whereas much of the 
processing of Ranum is limited to backend processing of created data structures 
rather than on the actual communications (e.g., the building of lists or histograms). 
Hence, Ranum fails to show the specific testing step called for in claim 1.

The Office Action further indicates that Ranum teaches the conditional deleting 
and storing (i.e., the final two elements of claim 1) based on whether the preselected
criterion is determined to be present in the stored communications. First, the deleting 
is said to be shown at page 2 in the second paragraph of the Decision Engine. Ranum 
teaches that once "a packet has been applied against the filters, it is discarded." This 
is not a conditional delete but instead teaches that all packets are discarded after that 
filter is applied to determine if an event has occurred. As a result, the deleting only 
when the criterion is not determined present is not shown or suggested by Ranum. 
The conditional storing is said to be shown with the "record mechanism" of Ranum. 
But, on page 2, the record mechanism is described as passing "a constructed data 
structure to a backend recorder for further processing." Apparently, this mechanism
passes a constructed data structure to the backend recorder when called by a filter, 
but it is not described as passing the filter data packet, which was discarded after the 
filter was applied. Hence, Ranum fails to teach the conditional deleting and storing 
called for in claim 1, and Russell-Falla and Trcka were not cited for overcoming these
deficiencies. Claim 1 is believed allowable for this additional reason. 

Claims 2-4, 6-8, 12, 13, 15, 17-21, 23, 27-33, and 65-67 depend from claim 1 
and are believed allowable over Ranum, Russell-Falla, and Trcka at least for the 
reasons provided for allowing claim 1. Further, claims 4 and 19 call for the regular 
expressions to be "assigned a weight by a user" and "receiving user input assigning a 
value to said predetermined expressions," which are not shown by any of the three 
references. The Examiner states that Russell-Falla teaches weighting of regular 
expression because its training sets that are used after a complex learning process is 
carried out to weight expressions are created by humans. Claim 4 calls for a weight to 
be assigned by a user to a regular expression, and the cited teaching of Russell-Falla 
does not directly or even by inference teach that its weighting of expressions are 
assigned but instead teaches assigning weights by a neural network with the user 
being unable to control the output or weight value actually assigned. Claims 4 and 19 
are believed allowable for this additional reason. 

Claim 8 calls for the regular expressions with a negative value within a subject 
matter category to be processed before those with a positive value or weight. The 
Office Action states that Russell-Falla teaches that the order is "mathematically
arbitrary" and so, it is obvious to do it in either order or that it is an arbitrary design
choice. However, Applicant's specification describes the process of looking for
matches for negative values first (see Figure 2 and related text) as this better controls
false positives while also limiting the amount of processing required in the testing step
to determine the presence of the preselected criterion (e.g., once a sum of the
values/weights associated with the regular expressions equals or exceeds a threshold
the criterion is determined to be satisfied or present in the stored communication - so,
it is beneficial to process negatively weighted expressions first to reduce false positive
results while still not requiring that all positively weighted expressions be processed).
This is not a mere design choice or an obvious requirement, and it is only motivated by
Applicant's specification as Russell-Falla teaches summing all weights for the matched
expressions. Claim 8 is believed allowable for this additional reason. 

Dependent claim 21 calls for the communication to be stored "if the sum of the
values of said predetermined expressions comprising a subject matter category equal
or exceed" a threshold. Ranum is cited for its teaching related to the record
mechanism. But, as discussed earlier, the record mechanism transmits a constructed
data record to a recorder and not the data packets, which were discarded after the
filter was applied. Hence, for this additional reason, Ranum fails to teach the method
of claim 21. 

Claims 31 and 33 are amended to call for a portion of the stored
communications to be provided in a user interface or in a report in the form that it was
viewed or generated during the monitored TCP/IP network communications. The cited
references fail to show this limitation. The Office Action cites Ranum at pages 3 and 4
and its figures but these do not teach the requirement that the stored information be 
displayed as it was viewed or created during the monitored communications. Hence, 
claims 31 and 33 are believed allowable over the combined teaching of the references 
for this additional reason. 

Further, the Office Action rejected claims 9 and 10 under 35 U.S.C. §103(a) as
being unpatentable over Ranum in view of Trcka and Russell-Falla as applied to claim
4 and further in view of U.S. Pat. No. 5,878,423 ("Anderson"). This rejection is
traversed based on the following remarks. Claims 9 and 10 depend from claim 1 and
are believed allowable over Ranum, Trcka, and Russell-Falla at least for the reasons
provided for allowing claim 1. Anderson is not cited for overcoming the deficiencies of
these three references discussed with reference to claim 1.

Also, the Office Action rejected claims 14, 22, 24, 25, and 26 under 35 U.S.C.
§103(a) as being unpatentable over Ranum in view of Trcka and Russell-Falla as
applied to claim 2 and further in view of U.S. Pat. No. 5,371,807 ("Register"). This
rejection is traversed based on the following remarks. Claims 14, 22, 24, 25, and 26
depend from claim 1 and are believed allowable at least for the reasons provided for
allowing claim 1 over Ranum, Trcka, and Russell-Falla. Further, Register fails to
overcome the deficiencies of these three references discussed with reference to claim 
1. 

Still further, the Office Action rejected claims 34-36, 38, 39, 44, 47-55, 57-59, 
and 61-64 under 35 U.S.C. §103(a) as being unpatentable over Russell-Falla in view
of Ranum and also in view of U.S. Pat. No. 5,835,722 ("Bradshaw"). This rejection is 
respectfully traversed. 

Claim 34 calls for the threshold used to determine whether a monitored network 
session should be stored is selected based on user input. The Office Action, at the 
bottom of page 15, states that Russell-Falla fails to teach "storing the data when the 
data is determined to be within a category." Ranum's record mechanism is again cited
for providing such storing. However, as discussed earlier, Ranum teaches that data 
packets are discarded after a filter is applied and that a constructed record is passed 
to a recorder when the mechanism is called from a filter. Hence, Ranum fails to teach 
"storing the remaining data" step of claim 1. Further, Ranum fails to teach that the
threshold value for a category used for determining when storage occurs is selected 
based on user input. Bradshaw is cited but this reference at col. 7, lines 18-38 fails to 
discuss that a sum of values associated with predetermined expressions are 
compared to a threshold value that is set by a user for a category. Instead, Bradshaw 
only discusses setting addresses, email senders, keywords, and the like to be used in 
blocking communications. For these reasons, claim 34 is believed in condition for 
allowance. 

Additionally, claim 34 is amended to include the limitations of dependent claims 
39 and 41, which call for the expressions to be weighted with negative or positive
weights. Claim 34 also now calls for the testing and maintaining of sum values to be
halted once a sum of values exceeds a user selected threshold value. These new
limitations are not believed shown by any of the cited references, and, particularly,
Russell-Falla is not believed to show summing by processing negative weighted
values first. Clearly, Russell-Falla does not show halting other processing steps once
the sum meets or exceeds a user defined threshold as this reference shows summing 
all weights for matched expressions. For these additional reasons, claim 34 is 
believed in condition for allowance. 

Further, as discussed in the prior Amendments, claim 34 calls for removing data 
content that does not contain language elements and then testing the "remaining 
content." The Office action cites a portion of Russell-Falla that relates to scanning an 
HTML page for regular expressions. It appears that the entire HTML page is used as 
input for analysis, including non-language elements. Russell-Falla does not show or
suggest any activity of removing data content that does not contain language
elements. At col. 5, lines 5-11, Russell-Falla is said to teach "the act of identifying and
analyzing natural language elements", and the Examiner argues that this is within the 
scope of the removing data step of claim 34. However, such identifying does not 
indicate or teach that the other content was removed or that later the "remaining data" 
is to be stored (i.e., not the removed content). Hence, the removing data content step 
is not shown by Russell-Falla. Ranum teaches creating a data structure for transmittal 
to a recorder but this data structure is not defined as data of a communication 
remaining after "data content that does not contain language elements" is removed. 
Bradshaw is not cited for teaching the storing element of claim 34. For these 
additional reasons, claim 34 is not shown or suggested by the combined teaching of 
the references. 

Further, as discussed in prior Amendments, Russell-Falla does not show or 
fairly suggest capturing data on a network comprising multiple half sessions of TCP/IP 
network communications. An HTML page comprises text data extracted from one or
more TCP packets that are assembled at the browser according to the HTML rules.
HTML is a markup language, not a protocol. Accordingly, an HTML page does not, by
itself, define a "session" or "half session". An HTML page, like any computer file, may
be delivered over a network communication protocol, however, the HTML page is itself
entirely independent of any particular network communication protocol. Hence, an
HTML page is by intent and design entirely unaware of any concept of "session" that
exists on the network itself and so cannot satisfy the claim limitation "wherein the data
comprises multiple half sessions..." appearing in claim 34.

The HTML page is distinct from a TCP/IP half session. Significantly, a
TCP/IP (or other network level) communication typically includes a wide variety of non-
HTML information. This data may include header information, cookies, parameter 
information, and the like. In some cases the network communication may include 
malicious (or benevolent) code or hidden data that "piggy backs" on the network 
communication packets used to deliver an HTML page. This is equally true of other 
applications such as email, instant messaging, and the like. This piggy backed data is 
not a part of the HTML page in Russell-Falla, but it is a part of the captured half
session in claim 34. Hence, this data will escape analysis in Russell-Falla but will be
subject to monitoring by the invention of claim 34.

Claims 35, 36, 38, 39, 44, and 47-54, which depend on claim 34, are allowable 
for at least the same reasons as claim 34 set out above. Also, claims 52 and 54 are 
believed allowable for the additional reasons provided above for claims 31 and 33. 

Independent claim 55 is directed to a method with limitations similar to those of 
claim 34, and, as a result, the reasons for allowing claim 34 are believed equally 
applicable to claim 55. 

Additionally, claim 55 is amended to call for "removing data content that does
not contain language elements and storing a remaining content comprising a string of
language elements separated by spaces without regard to original formatting of the
captured TCP/IP data." After this normalization function is performed on the captured
network data the remaining content is protocol and data format independent, which 
allows later processing using generic patterns that are protocol and document 
independent (e.g., the "predetermined expressions" used in the testing step do not 
have to be configured to be useful with specific communication protocols or specific 
document or data formatting). The generation of such normalized data or "remaining 
content" is not shown or suggested by any of the three cited references. 

Specifically, none of the cited references teach a method of transforming digital 
data that is captured or collected from network traffic into a normalized form before 
applying predetermined expressions (such as patterns or regular expressions) to the 
data. Russell-Falla teaches implementation of patterns for filtering and analysis of 
HTML pages. The patterns described in Russell-Falla are specific to this data form or 
to HTML and, hence, there is no need for the normalizing or removing step of claim 
55. Ranum's N-Code, as discussed above, is taught to be applied to TCP Session 
Control information, and there is no teaching of the removing and storing of remaining 
content as called for in claim 55. Trcka teaches filtering by using TCP Session Control 
information, IP addresses, time stamps, and other network transmission information, 
but Trcka fails to teach or suggest the removing and storing of format independent 
data that can more easily be tested for predetermined expressions as called for in 
claim 55. As can be seen, none of the three cited references teach transformation of 
captured network data into a normalized form such as "a string of language elements 
separated by spaces without regard to original formatting." In fact, the references 
such as Russell-Falla require the processed data to have a particular form for their 
techniques to be effective whereas the method of claim 55 is protocol and format 
independent. The Office Action cites Russell-Falla at col. 5, lines 5-11, but Applicant 
believes the amended language clearly distinguishes this portion of Russell-Falla that 
merely discusses scanning a page to look for regular expressions without teaching the 
storing of the remaining content as called for in claim 55. For these additional 
reasons, claim 55 is not obvious in light of the combined teaching of the references 
because they fail to show the removing data content limitation in its amended form. 

Yet further, claim 55 calls for, among other things, "defining categories with 
weighted predetermined expressions" (emphasis added) and "maintaining a sum of 
values associated with said predetermined expressions found within each category." 
These features of claim 55 are not shown or suggested in Russell-Falla at the cited 
col. 4, lines 45-67, which only discusses content that can be searched for in a web 
page but does not teach applying multiple, defined categories and then, maintaining a 
sum of values for each one of multiple categories. Applicant maintains the position 
that Russell-Falla teaches away from using multiple categories. Moreover, if one were 
to modify Russell-Falla as suggested in the Office Action, one might, by happenstance 
or invention, come up with the solution called for in claim 55. However, that solution is 
not taught or suggested by the reference itself. Further, claim 55 calls for storing the 
remaining data if the sum of values associated with said predetermined expressions 
present within a category exceeds a threshold value. As discussed with reference to 
claim 34, this is not shown by Russell-Falla or in Ranum and Bradshaw. For at least 
these reasons, claim 55, and claims 57-59 and 61-64, which depend from claim 55, 
are allowable over the cited references. Also, claim 64 is believed allowable for the 
additional reasons provided for claim 31. 

Additionally, claims 40-43 were rejected under 35 U.S.C. §103(a) based upon 
Russell-Falla in view of Ranum and Bradshaw as applied to claim 39 and further in 
view of Anderson. Claims 40, 41, and 43 are cancelled with some of their limitations 
being added to base claim 34. Claim 42 depends from claim 34 and is believed 
allowable over Russell-Falla, Ranum, and Bradshaw for the reasons provided for 
allowing claim 34. Anderson is cited for teaching prioritization, but Anderson fails to 
teach the limitation of claim 42 that the expressions having positive and negative 
values be processed separately and that the larger absolute values be processed first. 
Russell-Falla is cited for not requiring an order, and the Examiner argues that this is 
mathematically arbitrary and/or a design choice. With the limitations added to claim 34, 
the order of processing is not arbitrary as it will have a real effect on when the testing, 
maintaining of sum values, and storing steps are performed and the number of 
expressions that need be evaluated (e.g., processing may halt after only one or more 
positive value expressions are evaluated if a sum matches or exceeds a threshold but 
acting on negative values first reduces the risk of false positives; in contrast, Russell- 
Falla appears to teach that all expressions are matched and an overall sum obtained 
but not a cumulative one that is compared with a threshold on a step-by-step basis). 
For these reasons, claim 42 is believed allowable over the cited references. 
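
The normalization argued for claim 55 and the ordered, cumulative scoring argued for claim 42 can be illustrated together; the following is an added example, not code from the application or from any cited reference. The sample bytes, category names, expressions, weights, threshold, and the tag and entity stripping used to normalize are all assumptions chosen for illustration.

```python
import re

# Constructed sample of one captured half session (server-to-client bytes).
HALF_SESSION = (
    b"HTTP/1.1 200 OK\r\nSet-Cookie: note=wire+transfer+offshore\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>Quarterly&nbsp;Report</h1>"
    b"<p>Confidential: merger   terms attached.</p></body></html>"
)

# Hypothetical categories of (regular expression, weight); all values are assumptions.
CATEGORIES = {
    "finance_leak": [(r"\bconfidential\b", 5), (r"\bmerger\b", 4),
                     (r"\bwire transfer\b", 3), (r"\bpress release\b", -6)],
    "recruiting": [(r"\bresume\b", 5), (r"\bsalary\b", 3)],
}
THRESHOLD = 8  # assumed; a category is flagged when its sum matches or exceeds it


def normalize(raw: bytes) -> str:
    """Reduce raw captured bytes to lowercase words separated by single spaces."""
    text = raw.decode("latin-1")                   # maps every byte, never raises
    text = re.sub(r"<[^>]*>", " ", text)           # drop markup tags
    text = re.sub(r"&#?[a-zA-Z0-9]+;", " ", text)  # drop character entities
    return " ".join(re.findall(r"[a-z]+", text.lower()))


def score(text, expressions, threshold=THRESHOLD):
    """Return (running_sum, positive_expressions_evaluated, flagged)."""
    # Negative weights are applied first, then positive, largest magnitude first.
    negatives = sorted((e for e in expressions if e[1] < 0), key=lambda e: e[1])
    positives = sorted((e for e in expressions if e[1] > 0), key=lambda e: -e[1])
    total = sum(w for pattern, w in negatives if re.search(pattern, text))
    evaluated = 0
    for pattern, w in positives:
        evaluated += 1
        if re.search(pattern, text):
            total += w
        if total >= threshold:
            return total, evaluated, True  # halt; remaining expressions are skipped
    return total, evaluated, False


def analyze(raw: bytes):
    """Return (content to store or None, {category: score result})."""
    text = normalize(raw)
    results = {name: score(text, exprs) for name, exprs in CATEGORIES.items()}
    flagged = any(hit for _, _, hit in results.values())
    return (text if flagged else None), results
```

Because the whole half session is normalized, the cookie value in the header becomes the words "wire transfer offshore" and is visible to the same expressions as the page body.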

Still further, the Office Action rejected claims 45, 46, and 56 under 35 U.S.C. 
§103(a) as being unpatentable over Russell-Falla in view of Ranum and Bradshaw as 
applied to claim 34 and further in view of Register. This rejection is also traversed 
based on the following remarks. Claims 45 and 46 depend from claim 34 and are 
believed allowable at least for the reasons for allowing claim 34. Claim 56 depends 
from claim 55 and is believed allowable at least for the reasons for allowing claim 55. 
Register does not overcome the deficiencies of the other 3 references as discussed 
with reference to claims 34 and 55. 

Finally, the Office Action rejected claim 68 under 35 U.S.C. §103(a) as being 
unpatentable over Ranum in view of Trcka and Russell-Falla as applied to claim 1 and 
further in view of U.S. Pat. No. 5,850,388 (C. Anderson). Claim 68 depends from 
claim 1, and hence, the reasons for allowing claim 1 over Ranum, Trcka, and 
Russell-Falla are applicable to claim 68. Further, claim 68 is amended to clarify how the 
matching of known protocols is used to enhance processing of a stored 
communication. As amended, the method of claim 68 is not believed to be shown by 
C. Anderson. C. Anderson is cited for teaching protocol identification in a data stream, 
but this reference does not teach testing of independent parts of a communication for 
preselected criterion based on an identified known protocol pattern. For this additional 
reason, claim 68 is believed in condition for allowance. 

Conclusion 

In view of all of the above, it is requested that a timely Notice of Allowance be 
issued in this case. If the Examiner disagrees with this conclusion, Applicant 
respectfully requests that the Examiner grant the Applicant the opportunity for a 
telephonic interview at his convenience. 

The fee associated with a time extension is provided with this filing. No other 
fee is believed due with this response, but any fee deficiency associated with this 
submittal may be charged to Deposit Account No. 50-1123. 




Respectfully submitted 

Kent Lembke, Reg. No. 44,866 
Hogan & Hartson LLP 
One Tabor Center 
1200 17th Street, Suite 1500 
Denver, Colorado 80202 
(720) 406-5378 Tel 